class IMAGE_COR20_HEADER(pstruct.type): def blocksize(self): return self['cb'].li.int() _fields_ = [ (pint.uint32_t, 'cb'), (pint.uint16_t, 'MajorRuntimeVersion'), (pint.uint16_t, 'MinorRuntimeVersion'), (dyn.clone(IMAGE_DATA_DIRECTORY, _object_=MetaDataRoot), 'MetaData'), (CORIMAGE_FLAGS_, 'Flags'), (pint.uint32_t, 'EntryPoint'), (dyn.clone(IMAGE_DATA_DIRECTORY, _object_=lambda s: dyn.blockarray( ResourceInfo, s.getparent(IMAGE_DATA_DIRECTORY)['Size'].li.int())), 'Resources'), (IMAGE_DATA_DIRECTORY, 'StrongNameSignature'), (IMAGE_DATA_DIRECTORY, 'CodeManagerTable'), (dyn.clone(IMAGE_DATA_DIRECTORY, _object_=lambda s: dyn.blockarray( VtableFixup, s.getparent(IMAGE_DATA_DIRECTORY)['Size'].li.int())), 'VTableFixups'), (IMAGE_DATA_DIRECTORY, 'ExportAddressTableJumps'), (IMAGE_DATA_DIRECTORY, 'ManagedNativeHeader'), ]
def test_str_szwstring_blockarray(): data = '3d 00 3a 00 3a 00 3d 00 3a 00 3a 00 5c 00 00 00 65 00 2e 00 6c 00 6f 00 67 00 00 00 00 00 ab ab ab ab ab ab ab ab'.replace(' ','').decode('hex') source = ptypes.prov.string(data) t = dyn.blockarray(pstr.szwstring, 30) a = t(source=source).l if (a[0].str(),a[1].str(),a[2].str()) == ('=::=::\\','e.log','') and a[2].blocksize() == 2 and len(a) == 3: raise Success
class IMAGE_DYNAMIC_RELOCATION(pstruct.type): _fields_ = [ (uint32, 'Symbol'), (uint32, 'BaseRelocSize'), (lambda s: dyn.blockarray(uint32, s['BaseRelocSize'].li.int()), 'BaseRelocations'), ]
class IMAGE_DYNAMIC_RELOCATION64(pstruct.type): _fields_ = [ (realaddress(VOID, type=ULONGLONG), 'Symbol'), (DWORD, 'BaseRelocSize'), (lambda self: dyn.blockarray(DWORD, self['BaseRelocSize'].li.int()), 'BaseRelocations'), ]
class ResourceManagerHeader(pstruct.type): _fields_ = [ #(pint.uint32_t, 'Magic'), (pint.uint32_t, 'Version'), (pint.uint32_t, 'Size'), (lambda s: dyn.blockarray(ResourceString, s['Size'].li.int()), 'Parsers'), ]
def __DynamicRelocations(self): p, version = self.getparent( IMAGE_LOAD_CONFIG_DIRECTORY), self['Version'].li if version.int() < 2: if isinstance(p, IMAGE_LOAD_CONFIG_DIRECTORY32): t = IMAGE_DYNAMIC_RELOCATION32 elif isinstance(p, IMAGE_LOAD_CONFIG_DIRECTORY64): t = IMAGE_DYNAMIC_RELOCATION64 else: raise TypeError(p) return dyn.blockarray(t, self['Size'].li.int()) # FIXME: Reverse what the 32-bit version of this structure should look like # and more importantly how the size fits into this... raise NotImplementedError(version.int()) return IMAGE_DYNAMIC_RELOCATION64_V2
class UNWIND_INFO(pstruct.type): class _Header(pbinary.struct): _fields_ = [ (UNW_FLAG_, 'Flags'), (3, 'Version'), ] class _Frame(pbinary.struct): _fields_ = [ (4, 'Offset'), (4, 'Register'), ] class _HandlerInfo(pstruct.type): _fields_ = [(virtualaddress(ptype.undefined, type=dword), 'ExceptionHandler'), (virtualaddress(FuncInfo, type=dword), 'ExceptionData')] def __HandlerInfo(self): res = self['Header'].li flags = res.item('Flags') return self._HandlerInfo if any( flags[item] for item in ['EHANDLER', 'UHANDLER', 'FHANDLER' ]) else ptype.undefined def __FunctionEntry(self): res = self['Header'].li flags = res.item('Flags') return RUNTIME_FUNCTION if flags['CHAININFO'] else ptype.undefined _fields_ = [ (_Header, 'Header'), (byte, 'SizeOfProlog'), (byte, 'CountOfCodes'), (_Frame, 'Frame'), (lambda self: dyn.blockarray(UNWIND_CODE, 2 * self['CountOfCodes'].li. int()), 'UnwindCode'), (dyn.align(4), 'align(ExceptionHandler)'), # FIXME: this was copied from IDA (__HandlerInfo, 'HandlerInfo'), (__FunctionEntry, 'FunctionEntry'), ]
def __Children(self): fields = ['wLength', 'wValueLength', 'wType', 'szKey', 'Padding1', 'Value', 'Padding2'] length, cb = self['wLength'].li.int(), sum(self[fld].li.size() for fld in fields) if cb > length: raise AssertionError("Invalid block size returned by {!s} for child: {:d} > {:d}".format(self.instance(), cb, length)) size = max(0, length - cb) # If our class implements a .Children() method, then use that to determine the type. attribute = getattr(self, 'Children') if hasattr(self, 'Children') else None if callable(attribute): return self.Children(size) # Otherwise, use the key to lookup the type in our definition. cls, key = self.__class__, self['szKey'].li.str() if cls is not RT_VERSION: logging.debug("{:s} : No type callback implemented for Children in {!r}. Searching for one instead.".format('.'.join([cls.__module__, cls.__name__]), key)) # And then use that type to build the array of children. res = RT_VERSION_EntryType.lookup(key) return dyn.blockarray(res, size)
def __DynamicRelocations(self): # FIXME: figure out how to determine the type and size properly t = IMAGE_DYNAMIC_RELOCATION return dyn.blockarray(t, self['Size'].li.int())
def __entries(self): bs, res = self.blocksize(), sum(self[fld].li.size() for fld in ['Signature']) return dyn.blockarray(LTCG_ENTRY, max(0, bs - res))
def Children(self, length): return dyn.blockarray(RT_VERSION, length)
def ValueType(self, length): return dyn.blockarray(dword, length)
def Children(self, size): return dyn.blockarray(RT_VERSION_String, size)